The __EVENTVALIDATION hidden field is a new security measure in ASP.NET 2.0. This feature prevents unauthorized requests from being sent from the client. To ensure that each postback and callback event comes from the expected user interface elements, the page adds an extra layer of validation to events. Essentially, the request is matched against the information in the __EVENTVALIDATION field to verify that no additional input fields were added on the client and that values are selected from a list already known on the server.

The page generates the event validation field at the last moment at which the information is available. Like view state, the event validation field contains hash values to prevent client-side tampering. Server controls use the RegisterForEventValidation method of the ClientScriptManager object to store their own information for securing the postback. Each control may also register its own unique ID, but this is rare. List controls also store all the values in the list. Server controls that support event validation usually call the ValidateEvent method in their implementation of the IPostBackDataHandler interface. If validation fails, a security exception is thrown.

Event validation can be enabled and disabled on a per-page basis. Each control class uses the SupportsEventValidation attribute to enable event validation. Currently, event validation cannot be enabled or disabled on a specific control instance.

Event validation is a defensive barrier that restricts input to a set of known values. It only raises the level of protection; it does not prevent script injection attacks.

Using event validation in an Ajax-enabled application can cause problems. In such applications, client-side code may create new input elements on the fly; these elements are unknown to the server and may cause the next postback to fail. The best solution is to generate all user interface elements on the server as early as possible and hide them on the client using the Cascading Style Sheets display attribute. In this way, any user interface you want to use is registered in the event validation field. If you write a custom control, use the SupportsEventValidation attribute to make the control use this feature.
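
The registration and validation calls described above, shown in a custom control. This is an added example, not code from the original page; the control name PlanPicker and its sample values are hypothetical.

```csharp
using System.Collections.Specialized;
using System.Web.UI;

// Hypothetical custom control: renders a <select> limited to a fixed set of values.
[SupportsEventValidation] // opts this control class in to event validation
public class PlanPicker : Control, IPostBackDataHandler
{
    // Constructed sample values; the server only ever offers these.
    private static readonly string[] Plans = { "basic", "team", "enterprise" };

    public string SelectedPlan
    {
        get { return (string)ViewState["SelectedPlan"] ?? Plans[0]; }
        set { ViewState["SelectedPlan"] = value; }
    }

    protected override void Render(HtmlTextWriter writer)
    {
        writer.AddAttribute(HtmlTextWriterAttribute.Name, UniqueID);
        writer.RenderBeginTag(HtmlTextWriterTag.Select);
        foreach (string plan in Plans)
        {
            // Each (UniqueID, value) pair registered while rendering is hashed
            // into the __EVENTVALIDATION field sent with the page.
            Page.ClientScript.RegisterForEventValidation(UniqueID, plan);
            writer.AddAttribute(HtmlTextWriterAttribute.Value, plan);
            if (plan == SelectedPlan)
                writer.AddAttribute(HtmlTextWriterAttribute.Selected, "selected");
            writer.RenderBeginTag(HtmlTextWriterTag.Option);
            writer.WriteEncodedText(plan);
            writer.RenderEndTag(); // </option>
        }
        writer.RenderEndTag(); // </select>
    }

    public bool LoadPostData(string postDataKey, NameValueCollection postCollection)
    {
        string posted = postCollection[postDataKey];
        // Throws if this (UniqueID, value) pair was not registered at render time,
        // for example an option added by client script after the page was sent.
        Page.ClientScript.ValidateEvent(UniqueID, posted);
        bool changed = posted != SelectedPlan;
        SelectedPlan = posted;
        return changed;
    }

    public void RaisePostDataChangedEvent() { }
}
```

Validating inside LoadPostData means an unregistered value is rejected before it is ever assigned to SelectedPlan.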